Hey, I just met you, and this is crazy, but here's my hashes, so hack me maybe?

Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become the de facto standard for password cracking.

However, as with anything technology related, the rules are starting to show their age, specifically the rules designed to take years into account. So, I decided to take on the task of making a few modifications to the rule set. This includes updating the rules to take the current and prior year into account, but also reworking some of them to eliminate redundancy.

While updating the various rule sets is fine and dandy, what about taking it a step further and rearranging the order in which they're applied? Running the complete KoreLogic rule set takes a lot of time, especially when running it against a respectable dictionary and salted hashes (NTLMv2, crypt, etc.). When you have limited time during a pentest this can be fairly problematic: you want to utilize the rules that will net you the greatest amount of success in the shortest amount of time, leaving the less successful rules as "Hail Mary passes."

But how do you determine which rules will net the greatest success? Comparing them against one client or even a few clients isn't going to give you the sample size you're looking for. It's time to queue the password study from the Global Security Report; once again (spoiler alert) we are collecting hashes to perform a study on for the 2013 Global Security Report. Using the over 2 million hashes collected so far as a sample size that crosses industries and geographic regions, and encompasses large and small businesses, we can give ourselves an idea of which rules, statistically speaking, will give us the highest probability of cracking a password. Then, by ordering these rules properly, one can hope to crack a large percentage of their hashes within the first few hours of cracking.

What I did to produce these results was run each KoreLogic rule individually, with a respectable dictionary, against the set of hashes, capture the number of successfully cracked hashes, then delete the results and start again with the next rule until I had results for each rule. From this I was able to determine which rules netted us the greatest result, and the time it took to completely run each rule.

Below is a table of the results, including the percentage of hashes cracked:

| Rule | Cracked | Percentage | Time |
|---|---|---|---|
| AppendJustNumbers | 865,303 | 30.814% | 00hr:18min:24sec |
| L33t | 740,824 | 26.381% | 00hr:01min:34sec |
| ReplaceNumbers | 736,767 | 26.237% | 00hr:00min:24sec |
| AddJustNumbersLimit8 | 584,001 | 20.797% | 00hr:03min:54sec |
| AppendNumbers_and_Specials_Simple | 549,465 | 19.567% | 00hr:57min:38sec |
| ReplaceLetters | 429,826 | 15.306% | 00hr:00min:40sec |
| ReplaceLettersCaps | 215,115 | 7.660% | 00hr:00min:13sec |
| Append4Num | 136,360 | 4.856% | 00hr:18min:35sec |
| AppendYears | 52,711 | 1.877% | 00hr:00min:26sec |
| AppendJustSpecials | 30,501 | 1.086% | 00hr:01min:46sec |
| ReplaceSpecial2Special | 28,062 | 0.999% | 00hr:00min:20sec |
| AppendNum_AddSpecialEverywhere | 24,378 | 0.868% | 00hr:04min:58sec |
| PrependNumNum | 21,980 | 0.783% | 00hr:00min:24sec |
| AppendNumNum_AddSpecialEverywhere | 21,880 | 0.779% | 00hr:48min:16sec |
| Append2NumSpecial | 18,111 | 0.645% | 00hr:05min:40sec |
| Append5Num | 16,761 | 0.597% | 03hr:04min:07sec |
| PrependNumNumNum | 15,557 | 0.554% | 00hr:02min:19sec |
| PrependNumNumNumNum | 15,148 | 0.539% | 00hr:20min:47sec |
| Append2Letters | 13,682 | 0.487% | 00hr:02min:30sec |
| AppendSpecialNumberNumber | 13,235 | 0.471% | 00hr:05min:42sec |
| Add1234_Everywhere | 13,208 | 0.470% | 00hr:00min:13sec |
| ReplaceNumbers2Special | 11,789 | 0.420% | 00hr:00min:14sec |
| Append6Num | 11,262 | 0.401% | 28hr:58min:53sec |
| Append3NumSpecial | 7,985 | 0.284% | 00hr:54min:00sec |
| AppendNumNumNum_AddSpecialEverywhere | 7,863 | 0.280% | 09hr:08min:04sec |
| Prepend2NumbersAppend2Numbers | 7,609 | 0.271% | 00hr:21min:06sec |
| AppendSpecial4num | 6,576 | 0.234% | 09hr:22min:31sec |
| Append1_AddSpecialEverywhere | 6,545 | 0.233% | 00hr:00min:46sec |
| PrependSeason | 5,905 | 0.210% | 00hr:00min:41sec |
| Append4NumSpecial | 5,501 | 0.196% | 08hr:56min:19sec |
| AppendYears_AddSpecialEverywhere | 4,221 | 0.150% | 00hr:45min:24sec |
| AppendSpecial3num | 3,671 | 0.131% | 00hr:51min:30sec |
| AppendSpecialNumberNumberNumber | 3,671 | 0.131% | 00hr:55min:57sec |
| MonthsFullPreface | 3,383 | 0.120% | 00hr:00min:13sec |
| Add2010Everywhere | 3,151 | 0.112% | 00hr:00min:14sec |
| Prepend4LetterMonths | 2,938 | 0.105% | 00hr:00min:13sec |
| PrependJustSpecials | 2,628 | 0.094% | 00hr:01min:54sec |
| AddShortMonthsEverywhere | 2,282 | 0.081% | 00hr:01min:09sec |
| PrependYears | 1,716 | 0.061% | 00hr:00min:17sec |
| PrependHello | 1,696 | 0.060% | 00hr:00min:16sec |
| AppendCap-Num_or_Special-Twice | 1,430 | 0.051% | 01hr:17min:22sec |
| PrependDaysWeek | 1,417 | 0.050% | 00hr:06min:21sec |
| PrependNumNumAppendSpecial | 1,295 | 0.046% | 00hr:05min:59sec |
| AppendJustSpecials3Times | 816 | 0.029% | 00hr:56min:03sec |
| PrependAndAppendSpecial | 648 | 0.023% | 00hr:01min:58sec |
| PrependNumNumSpecial | 477 | 0.017% | 00hr:06min:26sec |
| Prepend4NumAppendSpecial | 379 | 0.013% | 10hr:29min:17sec |
| DevProdTestUAT | 370 | 0.013% | 00hr:00min:13sec |
| AppendMonthDay | 330 | 0.012% | 00hr:02min:10sec |
| AppendCurrentYearSpecial | 311 | 0.011% | 00hr:00min:15sec |
| AppendSpecialLowerLower | 239 | 0.009% | 00hr:33min:27sec |
| PrependSpecialSpecial | 192 | 0.007% | 00hr:02min:15sec |
| PrependSpecialSpecialAppendNumbersNumber | 157 | 0.006% | 02hr:14min:19sec |
| PrependSpecialSpecialAppendNumber | 129 | 0.005% | 00hr:12min:53sec |
| AppendSeason | 124 | 0.004% | 00hr:00min:42sec |
| PrependCAPCAPAppendSpecial | 104 | 0.004% | 00hr:21min:15sec |
| PrependNumNum_AppendNumSpecial | 99 | 0.004% | 00hr:59min:41sec |
| PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 0.001% | 22hr:46min:12sec |
| AddDotCom | 22 | 0.001% | 00hr:00min:12sec |
| AppendMonthCurrentYear | 8 | 0.000% | 00hr:00min:13sec |

As you can see, the number of cracked hashes drops off fairly significantly after ReplaceLettersCaps. However, there are some rules that in my opinion should still be applied, specifically ones that prepend and append numbers, given that our top rule was AppendJustNumbers. The time tradeoff required for a few additional rules seems like a worthwhile compromise when you look at their success. Based on this information, here's the list of rules that I'm proposing, complete with modifications and rule additions:

| Rule | Cracked | Time | Notes |
|---|---|---|---|
| PrependAppend1-4 | 909,146 | 00hr:39min:16sec | Replaced AppendJustNumbers |
| L33t | 740,824 | 00hr:01min:30sec | |
| ReplaceNumbers | 736,767 | 00hr:00min:23sec | |
| AddJustNumbersLimit8 | 584,001 | 00hr:03min:51sec | |
| AppendNumbers_and_Specials_Simple | 549,465 | 01hr:05min:11sec | |
| ReplaceLetters | 429,826 | 00hr:00min:42sec | |
| ReplaceLettersCaps | 215,115 | 00hr:00min:13sec | |
| Append4Num | | | Included in AppendJustNumbers |
| AppendYears | | | Included in AppendJustNumbers |
| AppendJustSpecials | 30,501 | 00hr:01min:56sec | |
| ReplaceSpecial2Special | 28,062 | 00hr:00min:19sec | |
| AppendNum_AddSpecialEverywhere | 24,378 | 00hr:06min:10sec | |
| PrependNumNum | | | Included in AppendJustNumbers |
| AppendNumNum_AddSpecialEverywhere | 21,880 | 00hr:56min:53sec | |
| Append2NumSpecial | 18,111 | 00hr:05min:38sec | |
| Append5Num | 16,761 | 02hr:53min:16sec | |
| PrependNumNumNum | | | Included in AppendJustNumbers |
| PrependNumNumNumNum | | | Included in AppendJustNumbers |
| Append2Letters | 13,682 | 00hr:02min:28sec | |
| AppendSpecialNumberNumber | 13,235 | 00hr:05min:36sec | |
| Add1234_Everywhere | 13,208 | 00hr:00min:12sec | |
| ReplaceNumbers2Special | 11,789 | 00hr:00min:13sec | |
| Append6Num | 11,262 | 28hr:22min:48sec | |
| Append3NumSpecial | 7,985 | 00hr:59min:20sec | |
| AppendNumNumNum_AddSpecialEverywhere | 7,863 | 09hr:18min:31sec | |
| Prepend2NumbersAppend2Numbers | 7,609 | 00hr:20min:00sec | |
| Add2011Everywhere | 6,773 | 00hr:00min:14sec | New rule |
| AppendSpecial4num | 6,576 | 08hr:34min:30sec | |
| Append1_AddSpecialEverywhere | 6,545 | 00hr:00min:46sec | |
| PrependAppendSeason | 6,072 | 00hr:06min:36sec | Replaced KoreRulesPrependSeason; added more l33t characters |
| Append4NumSpecial | 5,501 | 08hr:13min:32sec | |
| AppendYears_AddSpecialEverywhere | 4,221 | 00hr:37min:14sec | |
| AppendSpecial3num | 3,671 | 00hr:43min:48sec | |
| AppendSpecialNumberNumberNumber | 3,671 | 00hr:45min:14sec | |
| MonthsFullPreface | 3,383 | 00hr:00min:11sec | |
| Add2010Everywhere | 3,151 | 00hr:00min:14sec | |
| PrependMonthAbbrev | 4,265 | 00hr:00min:13sec | Replaced Prepend4LetterMonths; adds 3-letter months |
| PrependJustSpecials | 2,628 | 00hr:01min:39sec | |
| AddShortMonthsEverywhere | 2,282 | 00hr:00min:51sec | |
| PrependYears | | | Included in AppendJustNumbers |
| PrependHello | 1,698 | 00hr:00min:31sec | Added more l33t characters |
| Add2012Everywhere | 1,498 | 00hr:00min:12sec | New rule |
| AppendCap-Num_or_Special-Twice | 1,430 | 01hr:05min:18sec | |
| PrependDaysWeek | 1,417 | 00hr:13min:47sec | Added more l33t characters |
| PrependNumNumAppendSpecial | 1,295 | 00hr:04min:55sec | |
| Append2011Special | 850 | 00hr:00min:15sec | New rule |
| AppendJustSpecials3Times | 816 | 00hr:43min:28sec | |
| PrependAndAppendSpecial | 648 | 00hr:01min:39sec | |
| PrependNumNumSpecial | 477 | 00hr:04min:59sec | |
| Append2012Special | 383 | 00hr:00min:16sec | New rule |
| Prepend4NumAppendSpecial | 379 | 08hr:42min:23sec | |
| DevProdTestUAT | 370 | 00hr:00min:11sec | |
| AppendMonthDay | 330 | 00hr:02min:00sec | |
| Append2010Special | 311 | 00hr:00min:16sec | Replaced AppendCurrentYearSpecial |
| AppendSpecialLowerLower | 239 | 00hr:30min:13sec | |
| PrependSpecialSpecial | 192 | 00hr:01min:43sec | |
| PrependSpecialSpecialAppendNumbersNumber | 157 | 01hr:49min:40sec | |
| PrependSpecialSpecialAppendNumber | 129 | 00hr:11min:43sec | |
| AppendSeason | | | Included in PrependAppendSeason |
| PrependCAPCAPAppendSpecial | 104 | 00hr:22min:39sec | |
| PrependNumNum_AppendNumSpecial | 99 | 01hr:01min:12sec | |
| AddTLD | 72 | 00hr:00min:42sec | Replaced AddDotCom; added all TLDs |
| PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 19hr:49min:25sec | |
| AppendMonth2011 | 24 | 00hr:00min:13sec | New rule |
| AppendMonth2010 | 8 | 00hr:00min:15sec | Replaced AppendMonthCurrentYear |
| AppendMonth2012 | 7 | 00hr:00min:15sec | New rule |

After looking at these rules, here are a few answers to questions you might have:

Why are you not including 5 and 6 digits in PrependAppendJustNumbers?

It's simply a time versus success tradeoff. Cracking a 5th and 6th digit takes a significant amount of time with very little result, whereas cracking 1-4 digits not only takes very little time, but achieves extremely high success.

Why are 2012-based rules netting little success?

While I don't have concrete evidence, my guess would be that users might not have been given enough opportunity to change their password yet. We've been collecting hashes since the 1st of the year, and given an average password expiration policy within corporations of approximately 90 days, users may have only changed their password once or twice during 2012, depending on when the hashes were collected.

What wordlist size and hardware were used to crack the hashes?

8 x 2.6GHz AMD Opteron cores (Bulldozer) and a 1,167,382-word dictionary. Remember, since NT hashes are unsalted, the number of hashes you are attempting to crack will not affect the cracking time, assuming you aren't taking into account possible program inefficiencies with large hash lists. The dictionary size and hardware specifications do factor into the time.
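To make the time-versus-success tradeoff behind the proposed ordering concrete, here is an added Python example (not code from the original post or from the SpiderLabs repository) that takes per-rule results in the format of the first table on this page, ranks the rules by hashes cracked per second of run time, and picks the rules that fit a given time budget. The six rows are copied from the page's results table as a constructed subset; the budget planner and the `per_sec` metric are assumptions of this example, not something the post defines.

```python
import re

# Rows copied from the first results table on this page, used here as a
# constructed subset: (rule name, hashes cracked, wall-clock run time).
RESULTS = [
    ("AppendJustNumbers", 865303, "00hr:18min:24sec"),
    ("L33t", 740824, "00hr:01min:34sec"),
    ("ReplaceNumbers", 736767, "00hr:00min:24sec"),
    ("Add1234_Everywhere", 13208, "00hr:00min:13sec"),
    ("Append5Num", 16761, "03hr:04min:07sec"),
    ("Append6Num", 11262, "28hr:58min:53sec"),
]

TIME_RE = re.compile(r"(\d+)hr:(\d+)min:(\d+)sec")


def parse_time(text):
    """Convert the page's '00hr:18min:24sec' notation into seconds."""
    m = TIME_RE.fullmatch(text)
    if m is None:
        raise ValueError("unrecognised time format: %r" % text)
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def rank_rules(results):
    """Sort rules by hashes cracked per second of run time, best first.

    Each rule was run alone against the full hash set, so the counts
    overlap and cannot simply be summed; the rate is still a fair
    ordering key for a time-limited run.
    """
    ranked = []
    for name, cracked, run_time in results:
        secs = parse_time(run_time)
        ranked.append({"rule": name, "cracked": cracked,
                       "seconds": secs, "per_sec": cracked / secs})
    ranked.sort(key=lambda r: r["per_sec"], reverse=True)
    return ranked


def plan(results, budget_seconds):
    """Greedy schedule: take rules in rate order while they fit the budget.

    A rule that does not fit is skipped rather than stopping the loop, so
    a cheap lower-yield rule can still be queued behind an expensive one.
    """
    chosen, used = [], 0
    for row in rank_rules(results):
        if used + row["seconds"] <= budget_seconds:
            chosen.append(row["rule"])
            used += row["seconds"]
    return chosen
```

With the six sample rows, Append5Num and Append6Num land at the bottom of the ranking by a wide margin, which is the same conclusion the post draws about 5- and 6-digit suffixes.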

I've uploaded the updated rule set, with a few variations, to the SpiderLabs GitHub in the following formats:

All rules built into one main John rule set (eliminates the need for loops in scripts)

All rules but kept separated

Top 7 based on the stats, built into one main John rule set

Top 7 but kept separated

We'll hopefully be making updates in the future, and suggestions are definitely welcome; feel free to clone the repository.